Intel vPro® Platform
Intel Manageability Forum for Intel® EMA, AMT, SCS & Manageability Commander
2929 Discussions

Intel EMA Certificate Chaining Issue

RyomaFujiki
Beginner
20,475 Views


Hello.
I am in the process of setting up EMA in Admin Control Mode, but I am unable to provision AMT with TLS-PKI.
I can see the following error in the Platform Manager
Error Message: Unable to get activation certificate chain from the database.

I have tried the following article on this, but it did not resolve the issue.
https://www.intel.co.jp/content/www/jp/ja/support/articles/000090529/software/manageability-products.html

I can connect to CIRA without any problem.
The version of EMA is 1.7.1.
I am using GoDaddy's certificate.

If you know of any solutions, please let me know.

0 Kudos
48 Replies
MIGUEL_C_Intel
Moderator
5,772 Views

Hello RyomaFujiki,


We are glad Intel® EMA 1.7.1. is working on some endpoints. Do you mind clarifying if the working machines are running Intel® AMT v12? 


Regarding the endpoint with issues, please take a picture from the EMA WebUI, showing the provisioning status of it, plus a log from the endpoint. 


Located at: EMA log from the endpoint:

[System drive]\Program Files\Intel\EMA Agent\EMAagentlog


We look forward to hearing from you.


Best regards,

Miguel C.

Intel Technical Support Technician




0 Kudos
RyomaFujiki
Beginner
5,767 Views

Hello Miguel C,

Thanks for the reply.

To answer your question.

We have prepared an image showing that we are provisioned in AMT v12.
Please check the file "AMT_v12_Provisioned.png".

We have prepared  images of the provisioning status of the endpoint with issues.
Please check the files "Provisioning_Status_01" and "Provisioning_Status_02".

No logs were output for the endpoint.

That is all.
Best regards.

0 Kudos
MIGUEL_C_Intel
Moderator
5,760 Views

Hello RyomaFujiki,


Thank you for providing us with the pictures of the working and non-working machines. 


Do you mind performing the troubleshooting below and sharing the log or a picture with the error messages?


a) From the EMA WebUI, select the unprovisioned machine, go to actions and select “Stop managing”.

b) Then, go to the endpoint (AMT v16) and unprovision it, we suggest using ACUconfig tool

1) Open a command line as Administrator

       2) Go to the path c: \Program Files (x86) \Intel \SCS ACUConfig

       3) Run:  acuconfig /verbose /output console unconfigure /adminpassword password /full


Note:

https://downloadcenter.intel.com/download/30340/Intel-Configurator

Download and unzip the Intel® Configurator v12.2n into the endpoint

Open the unzipped folder, open the Configurator folder and run ACUConfigInstaller.msi


d) Open the Platform Manager at the EMA WebUI and gather a log of the new installation or a picture. The complete provision can take almost 4 to 5 minutes.


We look forward to hearing from you.


Best regards,

Miguel C.

Intel Technical Support Technician


0 Kudos
RyomaFujiki
Beginner
5,753 Views

Hello Miguel C,

Thank you for your response.

I followed the procedure and collected logs and images.
Provisioning is not done.
Please check.

Regarding the timestamps in the logs, the endpoints and EMA Server are off by 4 hours due to regional settings.

Regards,

Ryoma Fujiki

0 Kudos
MIGUEL_C_Intel
Moderator
5,749 Views

Hello, RyomaFujiki,


Thank you for your quick response.


I reviewed the logs and screenshot and noted the endpoint was not unprovisioned. I am resending the steps and clarifying some of them.

 

a) From the EMA WebUI, select the unprovisioned machine, go to actions and select “Stop managing”.

b) Then, go to the endpoint (AMT v16) and unprovision it, we suggest using ACUconfig tool

1) Open a command line as Administrator

    2) Go to the path c: \Program Files (x86) \Intel \SCS ACUConfig

    3) Run: acuconfig /verbose /output console unconfigure /adminpassword <password> /full


Note:

<password>  Type the password created on the EMA configuration.


Download and unzip the Intel® Configurator v12.2n into the endpoint

https://downloadcenter.intel.com/download/30340/Intel-Configurator

Open the unzipped folder, open the Configurator folder and run ACUConfigInstaller.msi


c) Restart the endpoint and install the EMAagent file.

d) Open the Platform Manager at the EMA WebUI and gather a log of the new installation or a picture. The complete provision can take almost 4 to 5 minutes.


We look forward to hearing from you.


Best regards,

Miguel C.

Intel Technical Support Technician


0 Kudos
RyomaFujiki
Beginner
5,732 Views


Hello Miguel C,

Thank you for your response.

I followed the procedure again and prepared images and logs.
Provisioning is not done.
Please confirm.

I checked the EMA 1.8.0 release, updated and confirmed, but the problem was not resolved.

I prepared another Alder Lake machine (non-OCR supported) and checked it, but the same problem occurred.
Is it possible that the problem is caused by Intel AMT Version?
Regards,

Ryoma Fujiki

0 Kudos
MIGUEL_C_Intel
Moderator
5,718 Views

Hello, RyomaFujiki,


Thank you for your quick response with the outcome using Intel® EMA 1.7.1 and 1.8.0.


I reviewed the limitation; and found the following: On the TLS-relay option, the option to resolve hostnames via Domain Name System is unavailable (DHCP option 15). In the case of the newer machines AMT v16, it is necessary to manually install the PKI DNS suffix in the endpoints.


  1. Do you mind confirming if the endpoints with AMT v16 have a wired connection without a docking station?
  2. Is it possible to perform a test using the latest version of Intel® Endpoint Management Assistant (Intel® EMA) v1.8.0 with the Client Control Mode option? Please remember to stop managing the endpoints from the actions option in the EMA WebUI.


Look forward to your response; if there is no response to this email, we will send you a follow-up on 8/1/2022.


0 Kudos
RyomaFujiki
Beginner
5,707 Views

Hello Miguel C,

Thank you for the information that this is a limitation in AMT v16.

We can test with a wired connection and the CCM option, but we want to check the OCR functionality and need to provision with ACM.
Therefore, we want to install DNS suffix manually.
From my research, I believe we are to use USBFileTool, but I am not sure what command to enter.
I would appreciate it if you could give me specific instructions.

That is all.
Best regards

0 Kudos
MIGUEL_C_Intel
Moderator
5,694 Views

Hello, RyomaFujiki,


We will gladly assist you with the configuration.


Please let us know if you are referring to USB redirection when you talk about the USB file tool. Details about USB redirection are available in section 1.2.8

https://www.intel.com/content/dam/support/us/en/documents/software/manageability-products/intel-ema-admin-and-usage-guide.pdf#page=13


The command examples are in the document below.

Intel® Endpoint Management Assistant (Intel® EMA) API Sample Scripts

https://www.intel.com/content/www/us/en/download/19693/30076/intel-endpoint-management-assistant-intel-ema-api-sample-scripts.html


Look forward to your response; if there is no response to this email, we will send you a follow-up on 8/2/2022.


0 Kudos
RyomaFujiki
Beginner
5,657 Views

Hello Miguel C,

Thank you for your response.

I was not referring to USB Redirection, but to USBFile.exe in the AMT SDK.
How specifically can I manually change the DNS suffix to allow ACM provisioning with AMT v16, either with USBFile.exe or USB Redirection?

I saw an example of the USB Redirection command, but was not sure how to change the DNS suffix.

Regards,

Ryoma Fujiki

0 Kudos
JoseH_Intel
Moderator
5,588 Views

Hello RyomaFujiki,


We are looking into this. Please allow us some time for research.


Regards


Jose A.

Intel Customer Support Technician


0 Kudos
MIGUEL_C_Intel
Moderator
5,460 Views

Hello RyomaFujiki,


The USB tool available at the SDK is necessary when you are using a Self-Certificate, and the hash of it is not included in the BIOS firmware of the AMT machines.


In your case, the hash of GoDaddy’s Certificate is already in the BIOS firmware; you just need to access the MEBx BIOS (Ctrl+p) and type the PKI DNS suffix if you are using static IP addresses. If you are using DHCP, option 15 in ISS is active in the EMA server; the EMA agent file will configure the PKI DNS suffix in the endpoints. 


If a web meeting is necessary, what is the earliest hour to meet with us from Monday to Friday?


Look forward to your response; if there is no response to this email, we will send you a follow-up on 8/8/2022.


0 Kudos
RyomaFujiki
Beginner
5,451 Views

Hello Miguel C,

Thank you for your response.

Thanks for the info about the USB tool.
We have found that we do not need it.

I read your response and am I correct in understanding that due to limitations, we cannot provision with ACM on AMT v1.6 PCs unless we are using a static IP address?


I tried provisioning manually with the PKI DNS suffix, but provisioning failed on an AMT v1.6 PC.
The error seems to be the same as before.
The procedure is as follows. Please point out if I am wrong.

Create an AMT profile with the following settings
General :Use TLS Relay
Management Interfaces :Check all items
IP Address :Use a static IP address from host
Create an endpoint group, apply the profile you created, and configure TLS-PKI settings.
Set a static IP address for the endpoint.
4. Unprovision the endpoint PC.
5. Access MEBx and enter "ematest.f5.si" for the PKI DNS suffix
6. Install EMA Agent on the endpoint PC
7. Verify that it is provisioned

The above steps allowed me to provision ACM on my AMT v12 PC, but not on my AMT v16 PC.

Regards,

Ryoma Fujiki

0 Kudos
MIGUEL_C_Intel
Moderator
5,441 Views

Hello RyomaFujiki,


I am glad you were able to add the PKI DNS suffix to the endpoints without the USB tool. 


It is possible to provision the endpoints in Admin Control Mode, EMA software v1.8.0 using DHCP or static IP addresses. Both options work with CIRA and TLS-relay communication.


RyomaFujiki; we would like to set a Web meeting with you, using Microsoft Teams. Please let us know the earliest hour from Monday to Friday to set the meeting. We are interested in your case and resolving the issue while using endpoints with AMT version 16.


The EMA configuration looks good.


Look forward to your response; if there is no response to this email, we will send you a follow-up on 8/9/2022.


0 Kudos
RyomaFujiki
Beginner
5,376 Views

Hello Miguel C,

Thank you for your response.

 

We would like to schedule a web conference in Teams on Friday, 8/12 at 10:00 JST.

 

Regards,

Ryoma Fujiki

0 Kudos
MIGUEL_C_Intel
Moderator
5,371 Views

Hello, Ryoma Fujiki,


By any chance, is it possible to reschedule the web meeting for 8:00 AM JST on Friday, 8/12?


I look forward to hearing from you.


0 Kudos
RyomaFujiki
Beginner
5,349 Views

Hello Miguel C,

Regarding the web conference, we are okay to schedule for Friday 8/12 at 8:00 AM JST.

Materials will be shared for a smooth meeting.

Ryoma Fujiki

0 Kudos
MIGUEL_C_Intel
Moderator
5,331 Views

Hello, Ryoma Fujiki,


We have sent you a private email; in order to collect sensitive details about your setup and issue.  Please reply to the private email.


I look forward to your feedback.


0 Kudos
RyomaFujiki
Beginner
5,307 Views

Hello Miguel C,
I was unable to respond yesterday due to a national holiday.
The person who has access to the account email will be on vacation until 8/19 and will respond to your email after 8/22.
We'll decide on the meeting dates at that time as well.

Ryoma Fujiki

0 Kudos
MIGUEL_C_Intel
Moderator
5,274 Views

Hello, Ryoma Fujiki,


We understand; there is no rush.  We will wait for your update after 8/22.


0 Kudos
RyomaFujiki
Beginner
5,172 Views

Hello Miguel C,

Regarding the web conference, we are okay to schedule for Friday 8/26 at 9:00 AM JST.
It is difficult to schedule a meeting starting at 8:00 AM.
I would also like to know if there is any information I should prepare for the conference to make it run smoothly.

Ryoma Fujiki

0 Kudos
Reply